After using multiple append=t and prestat=t
I am unable to use stats to capture the data into one nice line, as one of the tstat data might be late.
Is it possible to get Splunk to take the last value (if it does not exist) of each of the columns and place it at the end.
| mstats append=t prestats=t min("mx.service.status") min(mx.service.dependencies.status) min(mx.service.resources.status) min("mx.service.deployment.status") max("mx.service.replicas") WHERE "index"="metrics_test" service.type IN (agent-based launcher-based) AND mx.env=http://mx20267vm:15000 span=10s BY "service.name" "service.type"
| mstats append=t prestats=t max("mx.service.replicas") WHERE "index"="metrics_test" AND mx.env=http://mx20267vm:15000 service.type IN (agent-based launcher-based) span=10s BY service.name expected.count
| mstats append=t prestats=t min("mx.service.deployment.status") max("mx.service.replicas") WHERE "index"="metrics_test" service.type IN (agent-based launcher-based) AND mx.env=http://mx20267vm:15000 span=10s BY "service.name" "service.type" forked
| rename service.name as Service_Name,service.type as Service_Type
In the below image you can see in orange for this time 13:51:30, that only some of the data arrived at that time. The issue is if I do a stats on that and take the 13:51:30 "Status_numeric" + "Dependencies" are blank.
I have tried streamstats and it kind of works but in this case (below), Deployment did not get a value.
Also, i don't know how to get forked and Expected to the last time stamp...any help would be great thanks
filldown work if the field is null - higher up in your search you have fillnull value="" so you don't have nulls anymore, you have blank fields. These are two different things. Either remove the fillnull if appropriate or re-evaluate fields which equal "" to null()
Have you tried filldown?
Hi
Thanks for getting back to me.
This sounds perfect, but I cant get it to work like the doc said it would. Some fields don't "service_type" fill and other jump value.. it should be 2 but 0 have being introduced ..any ideas
filldown work if the field is null - higher up in your search you have fillnull value="" so you don't have nulls anymore, you have blank fields. These are two different things. Either remove the fillnull if appropriate or re-evaluate fields which equal "" to null()
Brill thanks - I needed this to make it work - | eval yourfield=if(yourfield="", null(), yourfield) @xpac thanks for the SPL 🙂